Internal control, as defined in accounting and auditing, is a process for assuring achievement of an organization’s objectives in operational effectiveness and efficiency, reliable financial reporting, and compliance with laws, regulations and policies.
Internal controls are essential features of any organization that is run efficiently. However, it is important to realize (especially for an auditor) that internal controls have inherent limitations which include:
- a requirement that the cost of an internal control is not disproportionate to the potential loss which may result from its absence;
- internal controls tend to be directed at routine transactions. The one-off or unusual transaction tends not to be the subject of internal control;
- potential human error caused by stress of workload, alcohol, carelessness, distraction, mistakes of judgment, annoyance, and the misunderstanding of instructions;
- the possibility of circumvention of controls either alone or through collusion with parties outside or inside the entity;
- abuse of responsibility; management override of controls; fraud;
- changes in environment making controls inadequate;
- human cleverness – however secure the computer code designed to prevent access, there is always some hacker who gets in.
Auditors must always perform some substantive tests of material items as well as relying on internal controls. The inherent limitations of internal control are the reason.